limite en - Statewatch

Council of the European Union Brussels, 26 June 2015 (OR. en) 9985/1/15 REV 1

Interinstitutional File: 2012/0011 (COD)

LIMITE DATAPROTECT 103 JAI 465 MI 402 DIGIT 52 DAPIX 100 FREMP 138 COMIX 281 CODEC 888

NOTE

From: Incoming Presidency

To: Working Group on Information Exchange and Data Protection (DAPIX)

No. prev. doc.: 5853/12

Subject: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) - Preparation for trilogue

1. Introduction

On 25 January 2012, the Commission adopted its proposal for a General Data Protection Regulation (5853/12). The new Regulation is intended to replace Directive 95/46/EC. The twofold aim of the Regulation is to enhance data protection rights of individuals and to improve the environment for businesses by facilitating the free flow of personal data in the digital single market and increasing the trust of users.

In parallel with the proposal for a General Data Protection Regulation, the Commission adopted a Directive on data processing for law enforcement purposes (5833/12). The new directive is intended to replace the 2008 Data Protection Framework Decision.

9985/1/15 REV 1

VH/np DGD 2C

LIMITE

1

EN

The European Parliament adopted its first reading positions on the proposals for a data protection Regulation and a data protection Directive on 12 March 2014. On 15th June 2015, the JHA Council agreed on a General Approach (9565/15) on the proposal for a General Data Protection Regulation, following several partial general approaches, thereby giving to the Presidency a negotiating mandate to enter into trilogues with Parliament.

2. Preparation for trilogues

Further to the adoption of the General Approach at the JHA Council meeting of 15th June 2015, a kick-off trilogue meeting was held on 24th June 2015. A roadmap setting out the organisation of works for the trilogue phase was agreed with the objective to conclude the negotiations by the end of 2015. Furthermore, the three institutions expressed their commitment to the package approach and agreed that each delegated or implementing act be dealt with in the context of the provision they relate to.

The next trilogue is scheduled for 14th July 2015 and will focus on:

- Article 3(2) – Territorial scope
- Article 25 – Representatives of controllers not established in the Union
- Chapter V – Transfers of personal data to third countries or international organisations
- Relevant definitions in Article 4, in particular definition (14) on ‘representative’

The Annex contains the four column table, which reflects the Commission proposal, the European Parliament's first reading position and the Council's General Approach on the provisions that will be discussed in this trilogue.

Provisions relating to codes of conduct (articles 38 and 38a) and certification (articles 39 and 39a) will be discussed in relation to Chapter IV. The General Approach reached on 15th June 2015 constitutes the basis of the negotiation mandate for the incoming Presidency in the trilogue. With a view to preparing this trilogue, the incoming Presidency invites delegations to discuss the following issues in order of appearance with a view to finding compromises.

a) The basic criterion for transferring personal data to a third country or an international organisation is that the latter provides for an adequate level of protection in relation to the data being transferred.

Article 41 paragraph 3 of the Council’s General Approach empowers the Commission to adopt implementing acts in order to adopt such adequacy decisions with regard to a third country, or a territory or one or more specified sectors within that third country, or an international organisation.

The Commission proposal follows the same approach. The European Parliament has provided for a delegated act.

Article 41 paragraph 5 of the Council’s General Approach empowers the Commission to adopt implementing acts in order to decide that a third country, or a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection.

The Commission proposed that such decisions may be taken when a third country or international organisation does not ensure an adequate level of protection. The European Parliament has provided for a delegated act on decisions when there is no (longer an) adequate level of protection.

The incoming Presidency recalls that, in accordance with Article 290 TFEU, delegated acts may only amend “non-essential elements” of a legislative act. Further, in accordance with Article 291 TFEU, implementing acts are required in order to ensure uniform conditions for the implementation of a legislative act [1].

In view of the above, delegations are invited to confirm the Council’s General Approach with regard to these provisions.

[1] On the distinction between delegated and implementing acts, see in particular Council Legal Service Opinion doc. 8970/11 (paragraphs 14 to 18).

b) In Article 41(3a) relating to transfers with an adequacy decision, the Council’s General Approach provides for a so-called grandfather clause when it comes to existing adequacy decisions, taken on the basis of Article 25(6) of Directive 95/46/EC. This reflects the Commission proposal. The European Parliament takes a different approach by providing for a sunset clause in Article 41(8).

In Article 42(5b) relating to transfers by way of appropriate safeguards, the Council’s General Approach provides for a so-called grandfather clause when it comes to existing authorisations by Member States or DPAs taken on the basis of Article 26(2) of Directive 95/46 and to Commission decisions taken on the basis of Article 26(4) of Directive 95/46.

This reflects the Commission proposal. The European Parliament takes a different approach by providing for a sunset clause in Article 42(5).

With a view to ensuring legal certainty for both controllers and data subjects, delegations are invited to confirm the Council’s General Approach with regard to these provisions.

c) The European Parliament agreed on some provisions which are not included in the Council’s General Approach. The incoming Presidency would therefore welcome comments from delegations on the following issues:

- Article 43a (new) concerning data transfers or disclosures not authorized by Union law;
- Article 45a (new) concerning regular reporting by the Commission.

d) Member States are invited to comment on any other issues pertaining to the articles in annex which they deem important in view of the trilogue on 14th July 2015.

ANNEX

Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

COM(2012)0011 / 2012/0011 (COD)

Below delegations find the explanations of the formatting used in the four column table.

1) EP’s column: the new text is marked in bold italics, the deleted parts of the text are marked in strikethrough, the identical with the Commission is marked with a diagonal line in the box

COM (2012)0011

EP Position / First Reading

Council General Approach (15/06/2015)

Comments / compromise suggestions

These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to create the trust that ….

(6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to create the trust that ...

(6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to of create creating the trust that ....

2) Council’s column: the new text is marked in bold italics, the deleted parts of the text are marked in strikethrough, the parts of the text that have been moved up or down are marked in bold.

3) 4th column: the diagonal line in the box indicates that the text is identical for all three institutions.

COM (2012)0011

EP Position / First Reading

Council General Approach (15/06/2015)

Comments / compromise suggestions

The protection of natural persons in relation to the processing of personal data is …

(1) The protection of natural persons in relation to the processing of personal data is …

(1) The protection of natural persons in relation to the processing of personal data is …

COM (2012)0011

EP Position / First Reading

Council General Approach (15/06/2015)

Comments / compromise suggestions

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 114(1) thereof,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 114(1) thereof,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 114(1) thereof,

Having regard to the proposal from the European Commission,

Having regard to the proposal from the European Commission,

Having regard to the proposal from the European Commission,

......

(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

Amendment 4 (20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, irrespective of whether connected to a payment or not, to such data subjects, or to the monitoring of the behaviour of such data subjects. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging the offering of services to data subjects in one or more Member States in the Union.

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects irrespective of whether connected to a payment or not, which takes place in the Union. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging doing business with data subjects residing in one or more Member States in the Union. Whereas the mere accessibility of the controller’s or an intermediary’s website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users residing in the Union, may make it apparent that the controller envisages offering goods or services to such data subjects in the Union.

Amendment 5 (21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with, regardless of the origins of the data, or if other data about them are collected, including from public registers and announcements in the Union that are accessible from outside of the Union, including with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(21) The processing of personal data of data subjects residing in the Union by a controller not established in the Union should also be subject to this Regulation when it is related to the monitoring of their behaviour taking place within the European Union. In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined. In any event, transfers to third countries may only be carried out in full compliance with this Regulation.

(78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined. In any event, transfers to third countries may only be carried out in full compliance with this Regulation.

(78) Cross-border flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer may only take place if, subject to the other provisions of this Regulation, the conditions laid down in Chapter V are complied with by the controller or processor.

Amendment 53 (79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects.

(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects ensuring an adequate level of protection for the fundamental rights of citizens

(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of EU law and include safeguards to protect the rights of the data subjects.

Amendment 54 (80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation. The Commission may also decide, having given notice and a complete justification to the third country, to revoke such a decision.

(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing specified sector, such as the private sector or one or more specific economic sectors within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations, which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the a third country or of a territory or of a specified sector within a third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees that ensure an adequate level of protection in particular when data are processed in one or several specific sectors. In particular, the third country should ensure effective data protection supervision and should provide for cooperation mechanisms with the European data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

(81a) Apart from the international commitments the third country or international organisation has entered into, the Commission should also take account of obligations arising from the third country’s or international organisation’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular the third country’s accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult with the European Data Protection Board when assessing the level of protection in third countries or international organisations.

(81b) The Commission should monitor the functioning of decisions on the level of protection in a third country or a territory or specified sector within a third country, or an international organisation, including decisions adopted on the basis of Article 25(6) or Article 26 (4) of Directive 95/46/EC. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any pertinent findings to the Committee within the meaning of Regulation (EU) No 182/2011 as established under this Regulation.

Amendment 55 (82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Any legislation which provides for extra-territorial access to personal data processed in the Union without authorisation under Union or Member State law should be considered as an indication of a lack of adequacy. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

(82) The Commission may equally recognise that a third country, or a territory or a processing specified sector within a third country, or an international organisation offers no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements of Articles 42 to 44 are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.

Amendment 56 (83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority.

(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority. Those appropriate safeguards should uphold a respect of the data subject’s rights adequate to intra-EU processing, in particular relating to purpose limitation, right to access, rectification, erasure and to claim compensation. Those safeguards should in particular guarantee the observance of the principles of personal data processing, safeguard the data subject’s rights and provide for effective redress mechanisms, ensure the observance of the principles of data protection by design and by default, guarantee the existence of a data protection officer.

(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or ad hoc contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects, including the right to obtain effective administrative or judicial redress. They should relate in particular to compliance with the general principles relating to personal data processing, the availability of enforceable data subject's rights and of effective legal remedies and the principles of data protection by design and by default. Transfers may be carried out also by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding. The authorisation of the competent supervisory authority should be obtained when the safeguards are adduced in non legally binding administrative arrangements.

Amendment 57 (84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses or supplementary safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. The standard data protection clauses adopted by the Commission could cover different situations, namely transfers from controllers established in the Union to controllers established outside the Union and from controllers established in the Union to processors, including subprocessors, established outside the Union. Controllers and processors should be encouraged to provide even more robust safeguards via additional contractual commitments that supplement standard protection clauses.

(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract, including in a contract between the processor and another processor, nor to add other clauses or additional safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

Amendment 58 (85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data

(85) A corporate group or a group of enterprises engaged in a joint economic activity should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings or group of enterprises, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Amendment 59 (86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.

(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his explicit consent, where the transfer is necessary occasional in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.

Amendment 60 (87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences.

(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters or for public health, or to competent public authorities for the prevention, investigation, detection and prosecution of criminal offences, including for the prevention of money laundering and the fight against terrorist financing. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s life, if the data subject is incapable of giving consent. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer should be carried out.

(87) These derogations rules should in particular apply to data transfers required and necessary for the protection of important grounds reasons of public interest, for example in cases of international data transfers exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences for public health, for example in case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organization. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation, such as a National Society of the Red Cross or to the ICRC of personal data of a data subject who is physically or legally incapable of giving consent, with the view to accomplishing a task incumbent upon the International Red Cross and Red Crescent Movement under the Geneva Conventions and/or to work for the faithful application of international humanitarian law applicable in armed conflicts could be considered as necessary for an important reason of public interest or being in the vital interest of the data subject.

Amendment 61 (88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

(88) Transfers which cannot be qualified as large scale or frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller or the processor has assessed all the circumstances surrounding the data transfer. The controller or processor should give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced suitable safeguards to protect fundamental rights and freedoms of natural persons with respect to processing of their personal data. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. To assess whether a transfer is large scale or frequent the amount of personal data and number of data subjects should be taken into account and whether the transfer takes place on an occasional or regular basis.

Amendment 62 (89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.

(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once those data have been transferred, to the extent that the processing is not massive, not repetitive and not structural. That guarantee should include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of national legislation, to provide full details of all access to the data by public authorities in the third country.

(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.

Amendment 63 (90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act. In cases where controllers or processors are confronted with conflicting compliance requirements between the jurisdiction of the Union on the one hand, and that of a third country on the other, the Commission should ensure that Union law takes precedence at all times. The Commission should provide guidance and assistance to the controller and processor, and it should seek to resolve the jurisdictional conflict with the third country in question.

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.

(91) When personal data moves across borders it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

(91) When personal data moves across borders it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

(91) When personal data moves across borders outside the Union it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international co-operation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in compliance with the provisions of this Regulation, including those laid down in Chapter V.

Amendment 74 (110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission and promoting cooperation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.

(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission institutions of the Union and promoting co-operation of the supervisory authorities throughout the Union, including the coordination of joint operations. The European Data Protection Board should act independently when exercising its tasks. The European Data Protection Board should strengthen the dialogue with concerned stakeholders such as data subjects’ associations, consumer organisations, data controllers and other relevant stakeholders and experts.

(110) In order to promote the consistent application of this Regulation, At Union level, a the European Data Protection Board should be set up as an independent body of the Union. To fulfil its objectives, the European Data Protection Board should have legal personality. The European Data Protection Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State or his or her representative and of the The Commission and the European Data Protection Supervisor. The Commission should participate in its activities without voting rights. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.

Article 3

Article 3

Article 3

Territorial scope

Territorial scope

Territorial scope

Amendment 97 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not.

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or processor not established in the Union, where the processing activities are related to:

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services to such data subjects in the Union; or

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour.

(b) the monitoring of their behaviour such data subjects.

(b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

Article 4

Article 4

Article 4

Definitions

Definitions

Definitions

(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of represents the controller, with regard to the obligations of the controller under this Regulation;

(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller in writing pursuant to Article 25, represents acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings;

(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings;

(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity;

(21) 'international organisation' means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries;

Article 25

Article 25

Article 25

Representatives of controllers not established in the Union

Representatives of controllers not established in the Union

Representatives of controllers not established in the Union

Amendment 120 1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

2. This obligation shall not apply to:

2. This obligation shall not apply to:

2. This obligation shall not apply to:

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

1. In the situation referred to in Where Article 3(2) applies, the controller shall designate in writing a representative in the Union.

deleted

(b) an enterprise employing fewer than 250 persons; or

(b) an enterprise employing fewer than 250 persons a controller processing personal data which relates to less than 5000 data subjects during any consecutive 12-month period and not processing special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems; or

(b) an enterprise employing fewer than 250 persons processing which is occasional and unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing; or

(c) a public authority or body; or

(c) a public authority or body; or

(c) a public authority or body; or

(d) a controller offering only occasionally goods or services to data subjects residing in the Union.

(d) a controller offering only occasionally offering goods or services to data subjects residing in the Union, unless the processing of personal data concerns special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems.

deleted

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them the data subjects, or whose behaviour is monitored, reside the monitoring of them, takes place.

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

CHAPTER V TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

CHAPTER V TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

CHAPTER V TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Article 40

Article 40

Article 40

General principle for transfers

General principle for transfers

General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

deleted

VH/np DGD 2C

41

LIMITE

EN

Article 41

Article 41

Article 41

Transfers with an adequacy decision

Transfers with an adequacy decision

Transfers with an adequacy decision

Amendment 137

1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further specific authorisation.

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, or a territory or one or more specified a processing sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of give consideration to the following elements:


(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;


(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law as well as the implementation of this legislation, the professional rules and security measures which are complied with in that country or by that international organisation, jurisprudential precedents, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation in force, both general and sectoral, data protection including concerning public security, defence, national security and criminal law, the professional rules and security measures, including rules for onward transfer of personal data to another third country or international organisation, which are complied with in that country or by that international organisation, as well as the existences of effective and enforceable data subject rights including and effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;


(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Union and of Member States; and

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, including sufficient sanctioning powers, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation in question is subject, with responsibility for ensuring and enforcing compliance with the data protection rules including adequate sanctioning powers for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Union and of Member States; and

(c) the international commitments the third country or international organisation in question has entered into.

(c) the international commitments the third country or international organisation in question has entered into, in particular any legally binding conventions or instruments with respect to the protection of personal data.

(c) the international commitments the third country or international organisation in question concerned has entered into or other obligations arising from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.


2a. The European Data Protection Board shall give the Commission an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country or the territory or the international organization or the specified sector no longer ensures an adequate level of protection.

3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

3. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts Such delegated acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) provide for a sunset clause if they concern a processing sector and shall be revoked according to paragraph 5 as soon as an adequate level of protection according to this Regulation is no longer ensured.

3. The Commission, after assessing the adequacy of the level of protection, may decide that a third country, or a territory or one or more specified a processing sectors within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall specify its territorial and sectoral application and, where applicable, identify the (independent) supervisory authority(ies) mentioned in point (b) of paragraph 2. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 87(2).

3a. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5.

4. The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.


4. The implementing delegated act shall specify its geographical territorial and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

deleted


4a. The Commission shall, on an on-going basis, monitor developments in third countries and international organisations that could affect the elements listed in paragraph 2 where a delegated act pursuant to paragraph 3 has been adopted.

4a. The Commission shall monitor the functioning of decisions adopted pursuant to paragraph 3 and decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.

5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

5. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure or no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

5. The Commission may decide that a third country, or a territory or a processing specified sector within that third country, or an international organisation does not no longer ensures an adequate level of protection within the meaning of paragraph 2 and may, where necessary, repeal, amend or suspend such decision without retro-active effect of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those The implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

5a. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the Decision made pursuant to paragraph 5.

6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.


6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision decision made pursuant to paragraph 5 of this Article.

6. Where the Commission decides A decision pursuant to paragraph 5, any is without prejudice to transfers of personal data to the third country, or a the territory or a processing specified sector within that third country, or the international organisation in question shall be prohibited, without prejudice pursuant to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.


6a. Prior to adopting a delegated act pursuant to paragraphs 3 and 5, the Commission shall request the European Data Protection Board to provide an opinion on the adequacy of the level of protection. To that end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country, territory or processing sector within that third country or the international organisation.

7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

7. The Commission shall publish in the Official Journal of the European Union and on its website a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing specified sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured in respect of which decisions have been taken pursuant to paragraphs 3, 3a and 5.


8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission.


8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force until five years after the entry into force of this Regulation unless amended, replaced or repealed by the Commission before the end of this period.

deleted


Article 42

Article 42

Article 42

Transfers by way of appropriate safeguards

Transfers by way of appropriate safeguards

Transfers by way of appropriate safeguards

Amendment 138

1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may not transfer personal data to a third country, territory or an international organisation unless the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

1. Where the Commission has taken no In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, also covering onward transfers.


2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

2. The appropriate safeguards referred to in paragraph 1 shall may be provided for, in particular without requiring any specific authorisation from a supervisory authority, by:

(oa) a legally binding and enforceable instrument between public authorities or bodies; or

(a) binding corporate rules in accordance with Article 43; or

(a) binding corporate rules in accordance with Article 43; or

(a) binding corporate rules in accordance with referred to in Article 43; or

(aa) a valid “European Data Protection Seal” for the controller and the recipient in accordance with paragraph 1e of Article 39; or

(b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

deleted

(b) standard data protection clauses adopted by the Commission Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or


(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid and adopted by the Commission pursuant to point (b) of Article 62(1) the examination procedure referred to in Article 87(2); or

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4. an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or


(e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data in the third country or international organisation; or

(b) (…)

(c) (…)

(d) provisions to be inserted into administrative arrangements between public authorities or bodies.

3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

3. A transfer based on standard data protection clauses, a “European Data Protection Seal” or binding corporate rules as referred to in point (a), (b) (aa) or (c) of paragraph 2 shall not require any further specific authorisation.

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

deleted

deleted


5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until two years after the entry into force of this Regulation unless amended, replaced or repealed by that supervisory authority before the end of that period.

deleted

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2.

Article 43

Article 43

Article 43

Transfers by way of binding corporate rules

Transfers by way of binding corporate rules

Transfers by way of bBinding corporate rules

Amendment 139

1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

1. A The supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

1. A The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 58 57 approve binding corporate rules, provided that they:

(a) are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees;

(a) are legally binding and apply to and are enforced by every member within the controller’s group of undertakings and those external subcontractors that are covered by the scope of the binding corporate rules, and include their employees;

(a) are legally binding and apply to and are enforced by every member concerned of the within the controller’s or processor's group of undertakings or group of enterprises engaged in a joint economic activity, and include their employees;

(b) expressly confer enforceable rights on data subjects;

(b) expressly confer enforceable rights on data subjects;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data;


(c) fulfil the requirements laid down in paragraph 2.

(c) fulfil the requirements laid down in paragraph 2

(c) fulfil the requirements laid down in paragraph 2.

1a. With regard to employment data, the representatives of the employees shall be informed about and, in accordance with Union or Member State law and practice, be involved in the drawing-up of binding corporate rules pursuant to Article 43.

2. The binding corporate rules shall at least specify:

2. The binding corporate rules shall at least specify.

2. The binding corporate rules referred to in paragraph 1 shall at least specify at least:

(a) the structure and contact details of the group of undertakings and its members;

(a) the structure and contact details of the group of undertakings and its members and those external subcontractors that are covered by the scope of the binding corporate rules;

(a) the structure and contact details of the concerned group of undertakings and of each of its members;


(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(b) the data transfers or set categories of transfers, including the categories types of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(c) their legally binding nature, both internally and externally;

(c) their legally binding nature, both internally and externally;

(d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(d) the general data protection principles, in particular purpose limitation, data minimisation, limited retention periods, data quality, data protection by design and by default, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(d) application of the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive special categories of personal data;, measures to ensure data security;, and the requirements for in respect of onward transfers to organisations bodies which are not bound by the policies binding corporate rules;


(e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;


(e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(e) the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to a measure based on decisions based solely on automated processing, including profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;


(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves on proving that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Articles 1114 and 14a;

(h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

(h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

(h) the tasks of the any data protection officer designated in accordance with Article 35 or any other person or entity in charge of the , including monitoring within the group of undertakings the compliance with the binding corporate rules within the group, as well as monitoring the training and complaint handling;

(hh) the complaint procedures;

(i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

(i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

(i) the mechanisms within the group of undertakings aiming at for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred under point (h) and to the board of the controlling undertaking or of the group of enterprises, and should be available upon request to the competent supervisory authority;

(j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

(j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

(j) the mechanisms for reporting and recording changes to the policies rules and reporting these changes to the supervisory authority;

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph;

(l) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(m) the appropriate data protection training to personnel having permanent or regular access to personal data.

2a. The European Data Protection Board shall advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the format, procedures, criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, including transparency for data subjects, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

deleted

4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

deleted

4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

Amendment 140

Article 43a (new)

Transfers or disclosures not authorised by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer or disclosure by the supervisory authority.

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of Article 44(1) and Article 44(5). Where data subjects from other Member States are affected, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

4. The supervisory authority shall inform the competent national authority of the request. Without prejudice to Article 21, the controller or processor shall also inform the data subjects of the request and of the authorisation by the supervisory authority and where applicable inform the data subject whether personal data was provided to public authorities during the last consecutive 12-month period, pursuant to point (ha) of Article 14(1).

Article 44

Article 44

Article 44

Derogations

Derogations

Derogations for specific situations

Amendment 141

1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

1. In the absence of an adequacy decision pursuant to paragraph 3 of Article 41, or of appropriate safeguards pursuant to Article 42, including binding corporate rules a transfer or a set category of transfers of personal data to a third country or an international organisation may take place only on condition that:

(a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or

(a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the risks of that such transfers may involve risks for the data subject due to the absence of an adequacy decision and appropriate safeguards; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken at the data subject's request; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken at the data subject's request; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken at the data subject's request; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(d) the transfer is necessary for important grounds of public interest; or

(d) the transfer is necessary for important grounds of public interest; or

(d) the transfer is necessary for important grounds reasons of public interest; or

(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

(f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

(f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

(f) the transfer is necessary in order to protect the vital interests of the data subject or of another persons, where the data subject is physically or legally incapable of giving consent; or

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

deleted

(h) the transfer, which is not large scale or frequent, is necessary for the purposes of the legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate suitable safeguards with respect to the protection of personal data, where necessary.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.

deleted

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

deleted

4. Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. Points (b), and (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. Points (a), (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the national law of the Member State to which the controller is subject.

5a. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.

deleted

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.

6. The controller or processor shall document the assessment as well as the appropriate suitable safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation records referred to in Article 28 and shall inform the supervisory authority of the transfer.

7. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) data transfers on the basis of paragraph 1.

deleted

Article 45

Article 45

Article 45

International co-operation for the protection of personal data

International co-operation for the protection of personal data

International co-operation for the protection of personal data

Amendment 142

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

(a) develop effective international co-operation mechanisms to facilitate ensure the enforcement of legislation for the protection of personal data;

(a) develop effective international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

(c) engage relevant stakeholders in discussion and activities aimed at furthering promoting international co-operation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice.

(d) promote the exchange and documentation of personal data protection legislation and practice;

(d) promote the exchange and documentation of personal data protection legislation and practice.

Amendment 143

(da) clarify and consult on jurisdictional conflicts with third countries.

2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

deleted

Amendment 144

Article 45a (new)

Report by the Commission

The Commission shall submit to the European Parliament and the Council at regular intervals, starting not later than four years after the date referred to in Article 91(1), a report on the application of Articles 40 to 45. For that purpose, the Commission may request information from the Member States and supervisory authorities, which shall be supplied without undue delay. The report shall be made public.
